This page describes how to get the CTF network and Vulnbox running in a basic setup. There is a multitude of things which could be done differently. So if you already know how to connect to the VPN and host the Vulnbox, feel free to do it differently. In any case, also have a look at the general Setup docs.
We are going to use the VPN on Vulnbox option as described in our Setup docs. Individual team members will connect to the competition network using player VPN connections from their own machines. Our setup will work for both on-site and remote teams.
Hosting on a cloud provider
The cloud provider (e.g. GCP or DigitalOcean) you want to use must have an option to upload a VM image (often called Custom Image) to later start as a VM. A few days before the CTF we will release the Vulnbox image for download. Upload it to your cloud provider and wait for it to be available (This might take a while). Then create a VM from the uploaded image. We recommend at least 4 CPU-cores and 8 GB of RAM. The image has
cloud-init installed so during creation you should already be able to enter SSH keys to access the VM. You can also use the Serial Console of the VM and the root password printed there to login. After login, you should be greeted by our initial
accountsetup tool. Proceed with Configuring the Vulnbox.
Hosting on your own hardware
For Vulnbox self-hosting, you are going to need a PC with an x86-64 CPU (once per team). We recommend a CPU with at least 4 cores, VT-x support and 8 GB of RAM.
Since we're going to use the VirtualBox GUI, physical access to the hosting machine with monitor, keyboard and mouse is required.
In the rest of this guide, we're going to assume a standard Debian 12 ("Bookworm") Desktop install on the PC. Other Debian versions or Ubuntu should work similarly and the general setup should also be applicable to other distributions or even operating systems.
Download and install VirtualBox from its website.
Connecting to the Vulnbox
After we released the Vulnbox (or the test image), download it in OVA format.
Then, click "File" – "Import Appliance". Select the OVA image and finish the wizard without any changes. Open the settings for the imported VM. In the "Network" section, make sure that "Attached to: NAT" is selected.
Now comes a bit of a tricky part: The Vulnbox will already work if you start it now and you'll also be able to log in through the VirtualBox GUI. However, it would be kind of hard to get a VPN config onto it, since copy/paste doesn't work. To work around that, you can connect via SSH with the root password that is printed on tty1 and the serial consoles. To reach the VM, configure a port forwarding:
- Go to "Settings -> Network".
- In the tab "Adapter 1", make sure it is "Attatched to: NAT",
- Click the Button ">Advanced -> [Port Forwarding]"
- In the Port Forwarding window, click "+" in the top right corner.
- Fill in Protocol TCP, Host Port 2222, and Guest Port 22. Leave the fields for IP blank. (You can use any other port instead of 2222)
On the host, you can use
ssh -p 2222 root@localhost to connect to the Vulnbox. You should be greeted by our initial
Configuring the Vulnbox
accountsetup tool, you first have to enter your team number. It can be found on the website by clicking on your team name (in the upper right corner) while you're logged in.
Next, you can paste one or more SSH keys for future logins.
accountsetup asks for the network mode, select
vpn. In the next step, paste the the Vulnbox VPN config, "vuln-faustctf.conf", from the Downloads page.
The Vulnbox will reboot.
Your personal VPN Status History page should now show a successful WireGuard Handshake, Gateway Ping, and Vulnbox Ping.
Decrypting the Services
When the CTF starts we will release the decryption password. To start the decryption process launch
/srv/extract-services.py /srv/vulnbox_services.tar.xz.gpg and enter the password. After the script exited all services should be up and running.
Joining Player VPN
Connect your personal machine (the one you wanna work with during the CTF) to the player VPN using "player-faustctf.conf". How do this exactly will depend on your operating system, but you should be able to find plenty of OpenVPN guides.
You should be able to log into the Vulnbox via SSH as root at
fd66:666:<team-number>::3 for the testing Vulnbox) and ping
submission.faustctf.net from your local machine as well as the Vulnbox.
This last step can (and should) be done by all individual team members.